[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone

# Use this pipeline for Barbican API - versions no authentication
[pipeline:barbican_version]
pipeline = versionapp

# Use this pipeline for Barbican API - DEFAULT no authentication
[pipeline:barbican_api]
pipeline = unauthenticated-context apiapp
#pipeline = keystone_authtoken context apiapp

#Use this pipeline to activate a repoze.profile middleware and HTTP port,
#  to provide profiling information for the REST API processing.
[pipeline:barbican-profile]
pipeline = unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp

#Use this pipeline for keystone auth
[pipeline:barbican-api-keystone]
pipeline = keystone_authtoken context apiapp

[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app

[app:versionapp]
paste.app_factory = barbican.api.app:create_version_app

[filter:simple]
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory

[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory

[filter:keystone_authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
#need ability to re-auth a token, thus admin url

insecure = {{ ssl_insecure }}
{% if SSLCACertificateFile != '' %}
cafile = {{ SSLCACertificateFile }}
{% endif %}
identity_uri = {{ keystone_proto }}://{{ keystone_internal_address }}:35357/
auth_url = {{ keystone_proto }}://{{ keystone_admin_address }}:35357/
auth_uri = {{ keystone_proto }}://{{ keystone_internal_address }}:5000/
user_domain_name = {{ barbican_domain_name }}
username = {{ barbican_admin_user }}
password = {{ barbican_admin_password }}
project_domain_name = {{ barbican_project_domain_name }}
project_name = {{ barbican_project_name }}
auth_plugin = password
region_name = {{ keystone_region_name }}
#admin_tenant_name = {{ barbican_project_name }}
#admin_user = {{ barbican_admin_user }}
#admin_password = {{ barbican_admin_password }}
#auth_version = v3.0
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true
# signing_dir is configurable, but the default behavior of the authtoken
# middleware should be sufficient.  It will create a temporary directory
# for the user the barbican process is running as.
signing_dir = /var/lib/barbican/cache
region_name = {{ keystone_region_name }}
memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host].ip.mgmt }}:11211{% if not loop.last %},{% endif %}{% endfor %}

token_cache_time = 300
revocation_cache_time = 60
# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}


[filter:profile]
use = egg:repoze.profile
log_filename = myapp.profile
cachegrind_filename = cachegrind.out.myapp
discard_first_request = true
path = /__profile__
flush_at_shutdown = true
unwind = false
